Hi Philipp

We see them a lot lately. These are all forms which pass some sort of user content back to the alleged subscriber during the subscription process.
So if you can pass a 'firstname' (or any other data) during subscription, and the form which requests a confirmation for this subscription includes that data like:

---
Hello 'firstname'

thank you for subscribing, please confirm by clicking the link below.
---

Now of course the attacker might enter the string 'buy cheap RX drugs: https://bit.bly/vl4gr4-4-ch34p' as firstname and successfully spam this way.

As all kinds of different form submission tools are abused, I fear there is not much you can do except report to the webmaster of the affected form and also report the email to your choice of DNS blacklist or URI blacklist to get either the sender IP or the confirmation URL blacklisted.

--
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
--
I m p r o W a r e   A G    - Head of Commerce Customers
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Switzerland                     Web  http://www.imp.ch
______________________________________________________
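
For the webmaster of an affected form, one way to keep the confirmation mail from carrying submitter-chosen text is to echo the name only when it looks like a name and to fall back to a generic greeting otherwise. This is an added example, not part of the original message; the function names, the length and word limits, and the lists.example.org URL are assumptions.

```python
import re
import unicodedata

MAX_NAME_LEN = 40  # assumption: generous for a first name, too short for ad copy
MAX_WORDS = 3      # assumption: "Anne Marie Louise" fits, a sentence does not
# Markers of a link or address smuggled into a name field.
LINKISH = re.compile(r"(://|www\.|@|\.[a-z]{2,}(/|\b))", re.IGNORECASE)


def safe_display_name(raw):
    """Return a name fit to echo in a confirmation mail, or None."""
    name = unicodedata.normalize("NFKC", raw or "").strip()
    if not name or len(name) > MAX_NAME_LEN:
        return None
    if LINKISH.search(name) or len(name.split()) > MAX_WORDS:
        return None
    for ch in name:
        if ch in " -'.":
            continue
        # Allow letters and combining marks of any script, nothing else
        # (so no digits, colons, slashes or control characters).
        if unicodedata.category(ch)[0] not in ("L", "M"):
            return None
    return name


def build_confirmation(raw_firstname, confirm_url):
    """Build the confirmation body; unverified input never reaches it verbatim."""
    name = safe_display_name(raw_firstname)
    greeting = f"Hello {name}," if name else "Hello,"
    return (
        f"{greeting}\n\n"
        "Thank you for subscribing. Please confirm by clicking the link below.\n"
        f"{confirm_url}\n"
    )


# Constructed inputs; the second is the string quoted in the message above.
SAMPLES = ["Anne-Marie", "buy cheap RX drugs: https://bit.bly/vl4gr4-4-ch34p"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(build_confirmation(sample, "https://lists.example.org/confirm?t=TOKEN"))
```

The filter is deliberately conservative: an unusual but legitimate name costs that subscriber only the personalised greeting, while the confirmation link still works.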